This is mostly a preventative change than one based on actual issues encountered.
Removing from a collection that is being iterated over is not supported and should usually lead to a `ConcurrentModificationException` being thrown. Using an `Iterator` prevents this from happening.
Signed-off-by: nscuro <nscuro@protonmail.com>
* For portfolio analysis, don't fetch *all* projects at once, but in batches of 100.
* Regularly evict objects from the ORM's L1 cache to prevent excessive cache size.
* For project analysis, don't fetch *all* components at once, but in batches of 1000.
* Limit the fields being fetched from the database to only those needed for vulnerability analysis.
* When triggering a project analysis, only transmit the project's UUID via events, instead of all of its components.
* Deprecate `QueryManager#getAllProjects` for removal. This method is never the right choice, but is still used in a few places.
In addition, as byproducts of this refactoring:
* Add MDC variables to provide more context in logs emitted during vulnerability analysis.
* Remove event subscription for specific scanner events. Scanners are only ever invoked directly, never through the event system.
* Gracefully handle thread interrupts.
* Fix `CacheableScanTask#applyAnalysisFromCache` never being invoked.
Signed-off-by: nscuro <nscuro@protonmail.com>
The `/tag/{name}/project` endpoint did not add the provided tag to projects which already had tags assigned to them.
The `/tag/{name}/policy` and `/tag/{name}/notificationRule` endpoints replaced existing tags with the provided tag, which is not the intended behavior. Since only one tag can be provided via path parameter, the tag should be *added* to existing tags, not replace them.
Fixes#4539
Signed-off-by: nscuro <nscuro@protonmail.com>
Use DbUtil to check DB type, use Project.id instead of uuid in queries and don't delete tags, notifications or policies.
Signed-off-by: Mikael Carneholm <mikael.carneholm.2@wirelesscar.com>
Fields are no longer unloaded when a transaction commits (`DataNucleus.RetainValues` is enabled globally), as of https://github.com/stevespringett/Alpine/pull/552.
Signed-off-by: nscuro <nscuro@protonmail.com>
Ensure the field defaults to `true`, both in Java and the database. During upgrade, migrate all values that are currently `null` to `true`.
Solidify this change by switching `project.active` from `Boolean` to `boolean`. Adjust logic that previously had to check for `null`.
Fixes#4410
Signed-off-by: nscuro <nscuro@protonmail.com>
* Add validation to prevent invalid states of collection projects (prevent collection project having Components or services), including several unit tests covering these scenarios.
Signed-off-by: Ralf King <rkg@mm-software.com>
Modifies project metrics updates to consider collection project logics.
Added several events to trigger project metrics updates to update collection projects if child projects change in a relevant way.
Signed-off-by: Ralf King <rkg@mm-software.com>
*Simplify Boolean to boolean in Project and Policy and remove unncessary migration script part
*Move reads into transaction
*remove unnecessary index
*Rename ONLY_FOR_LATEST_PROJECT_VERSION to ONLY_LATEST_PROJECT_VERSION
Signed-off-by: Ralf King <rkg@mm-software.com>
Adds regression test for #3895. The behavior itself does not reproduce on `master`, but does with `4.11.5`.
Wraps the project cloning in a transaction to make it more reliable. Adds MDC variables for `CloneProjectTask` (#3234).
Fixes#3895
Signed-off-by: nscuro <nscuro@protonmail.com>
In order for the UI to distinguish between active or inactive project versions,
we need to include the active boolean field to ProjectVersion model
Signed-off-by: Aravind Parappil <aravindparappil@gmail.com>
When creating a project from json payload and the active field is
not specified it will now default to true instead of null.
This fixes an issue with projects not being assignable as parent projects
because they are "inactive".
Signed-off-by: Willie Nel <4620380+willienel@users.noreply.github.com>
As per CycloneDX specification, `metadata.manufacturer` refers to `metadata.component`, whereas `metadata.supplier` and `metadata.authors` refer to the BOM itself.
Keeping `manufacturer` in `ProjectMetadata` is awkward and confusing.
Signed-off-by: nscuro <nscuro@protonmail.com>
Also fixed:
* services not being cloned, despite `includeServices` being set to `true`.
* ACLs not being enforced for the `/clone` endpoint
And added tests for cloning that were previously missing.
Signed-off-by: nscuro <nscuro@protonmail.com>
